IRS Erroneously Shared Taxpayer Data with DHS in Immigration Enforcement Dispute
A controversial data-sharing agreement between the IRS and the Department of Homeland Security (DHS) has led to the unauthorized disclosure of thousands of taxpayers’ confidential records, according to a recent court filing. The agreement, signed in April 2023 by Treasury Secretary Scott Bessent and DHS Secretary Kristi Noem, authorized U.S. Immigration and Customs Enforcement (ICE) to submit names and addresses of undocumented immigrants to the IRS for cross-verification against tax records ostensibly to aid deportation efforts.
However, IRS Chief Risk and Control Officer Dottie Romo revealed in a declaration filed this week that the agency erroneously shared additional taxpayer information with ICE, including residential addresses, for roughly 47,000 of the 1.28 million names requested. The IRS later acknowledged the error in January, notifying DHS and requesting the improperly shared data be disposed of in accordance with federal law. Advocacy groups, including Public Citizen and the Center for Democracy & Technology, argue the breach violates long-standing privacy protections and could endanger individuals if misused by enforcement agencies.
The incident has intensified legal challenges to the IRS-DHS agreement. In November 2023, a federal court blocked the IRS from sharing tax data with DHS, ruling that the agency had unlawfully disseminated migrants’ records the previous summer. A Massachusetts federal court later ordered the IRS to halt the sharing of residential addresses with ICE. The dispute stems from a lawsuit filed by immigrant rights groups shortly after the agreement was signed, which alleged the policy undermined taxpayer privacy and legal safeguards.
Critics warn the breach could have broader implications, including the potential for malicious targeting of Americans or further erosion of trust in tax confidentiality. The IRS has not publicly commented on the matter, and the extent of ICE’s use of the shared data remains unclear. The case underscores ongoing tensions between immigration enforcement and data privacy protections within federal agencies.
Internal Revenue Service TPRM report: https://www.rankiteo.com/company/irs
"id": "irs1770978857",
"linkid": "irs",
"type": "Breach",
"date": "4/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '47,000 taxpayers',
'industry': 'Taxation/Government',
'location': 'United States',
'name': 'Internal Revenue Service (IRS)',
'size': 'Large',
'type': 'Government Agency'},
{'industry': 'Immigration Enforcement/Government',
'location': 'United States',
'name': 'Department of Homeland Security (DHS)/ICE',
'size': 'Large',
'type': 'Government Agency'}],
'data_breach': {'data_exfiltration': 'Shared with ICE',
'number_of_records_exposed': '47,000',
'personally_identifiable_information': 'Names, residential '
'addresses',
'sensitivity_of_data': 'High (PII, residential addresses)',
'type_of_data_compromised': 'Taxpayer records, residential '
'addresses'},
'date_detected': '2024-01',
'description': 'A controversial data-sharing agreement between the IRS and '
'the Department of Homeland Security (DHS) led to the '
'unauthorized disclosure of thousands of taxpayers’ '
'confidential records. The IRS erroneously shared additional '
'taxpayer information, including residential addresses, with '
'ICE for roughly 47,000 of the 1.28 million names requested, '
'violating privacy protections and potentially endangering '
'individuals.',
'impact': {'brand_reputation_impact': 'Erosion of trust in tax '
'confidentiality',
'data_compromised': 'Taxpayer records, residential addresses',
'identity_theft_risk': 'High (residential addresses exposed)',
'legal_liabilities': 'Ongoing lawsuits, regulatory violations',
'operational_impact': 'Legal challenges, policy suspension',
'systems_affected': 'IRS data-sharing systems'},
'investigation_status': 'Ongoing (legal challenges, policy review)',
'lessons_learned': 'Need for stricter controls on government data-sharing '
'agreements; potential risks of exposing sensitive '
'taxpayer information to enforcement agencies.',
'motivation': 'Immigration Enforcement',
'post_incident_analysis': {'corrective_actions': 'Court-ordered suspension of '
'data sharing; policy '
'review; potential '
'legislative reforms',
'root_causes': 'Flawed data-sharing agreement; '
'lack of procedural safeguards; '
'miscommunication between IRS and '
'DHS'},
'recommendations': 'Review and strengthen IRS-DHS data-sharing policies; '
'implement audit mechanisms for inter-agency data '
'requests; enhance transparency and public accountability.',
'references': [{'source': 'Court filing (IRS Chief Risk and Control Officer '
'Dottie Romo)'},
{'source': 'Public Citizen and Center for Democracy & '
'Technology'},
{'source': 'Federal court rulings (Massachusetts)'}],
'regulatory_compliance': {'legal_actions': 'Ongoing lawsuits (e.g., immigrant '
'rights groups)',
'regulations_violated': ['Taxpayer privacy '
'protections',
'Federal data-sharing '
'laws']},
'response': {'communication_strategy': 'Limited public comment',
'containment_measures': 'IRS requested improperly shared data be '
'disposed of',
'remediation_measures': 'Policy suspension, court-ordered halt '
'to data sharing'},
'stakeholder_advisories': 'Immigrant rights groups, taxpayer advocacy '
'organizations',
'threat_actor': 'Government Agency (IRS/DHS)',
'title': 'IRS Erroneously Shared Taxpayer Data with DHS in Immigration '
'Enforcement Dispute',
'type': 'Data Breach',
'vulnerability_exploited': 'Policy/Procedural Failure'}